German Automotive Sector Targeted with Info-Stealer Campaign

Industry: Automotive | Level: Tactical | Source: CheckPoint

A threat operation, discovered by Check Point, identified information-stealing malware targeting 14 German organizations, primarily those in the automotive industry including dealerships and manufacturers. The campaign was tracked back to at least July 2021. German automotive businesses were used for the disguise of this campaign, with the attackers hosting domains imitating the businesses to distribute emails and host malware. The phishing email contains an ISO file to bypass NTFS Mark-of-the-Web trust control (MOTW) with an HTA within. The HTA file then spawns Mshta.exe with either VBScript or PowerShell being executed to download additional payloads or to modify the registry. Payload delivered would include various information-stealing malware such as Raccoon, AZORult, and BitRAT. Information compromised would include personal, and credit card information. The attribution of the campaign is currently unclear, hosted infrastructure was identified in Iran, but doesn't provide any definitive evidence of attribution. Additionally, the attacker's exact motives remain undetermined, despite obtaining personal and financial information, a larger play of espionage or business fraud is a potential.

Anvilogic Scenario:

• Malicious Document Delivering Malware

Anvilogic Use Cases:

• MSHTA.exe execution
• BITSadmin Execution
• Modify Registry Key
• Invoke-WebRequest Command
• Output to File